TRUSTe Stung by Own Privacy Gaffe

In an ironic twist in the online privacy debate, TRUSTe, an organization that monitors Internet privacy issues, was caught violating its own privacy policy Thursday through the use of a third-party software program.

TRUSTe, a coalition of such online firms as America Online, Excite@Home and Microsoft, said it took steps to remove the offending programs associated with theCounter.com, which had the capacity to gather personal information from the browsers of visitors to TRUSTe’s home page.

TRUSTe announced late Thursday that it discontinued the use of theCounter.com’s software after just two weeks. CEO Bob Lewin said there is no evidence that any personal information was collected.

“As we advise other Web sites, the best practice in a case like this is to immediately eliminate the possibility that any information is being improperly transferred,” Lewin said.

Gotcha?

The situation began when Interhack Corporation announced that its Internet Privacy Project found that the use of theCounter.com put TRUSTe in apparent violation of its own privacy policy because a third party was involved.

However, in an interview with the E-Commerce Times, Interhack co-founder Matt Curtin said that it appears as though TRUSTe simply did not know the technical capability existed in theCounter.com’s software to track specific users.

Curtin said, “This is another example of building things up based on policy instead of based on what the technology is actually capable of doing.”

According to theCounter.com, the company shares ownership of the Web site data it collects, and is not bound by the policies of companies that use its product.

Plug Pulled

After reporters called TRUSTe to inquire about theCounter.com’s software, the feature was removed from the site. In a statement, the organization said it wanted to be able to track which pages on its site were getting the most visitors and chose the product specifically because it believed no personal data would be gathered.

Interhack, however, found that theCounter.com has the technical ability to engage in “detailed profiling” through use of cookies and a cache bug known as “meantime.”

TRUSTe has been a high-profile watchdog for online privacy issues. The organization recently touted a survey that found its imprint was the most trusted name on the Internet. The group also took a strong stand against Toysmart.com’s bid to sell customer information after that online retailer went bankrupt earlier this year, a sale that is now tied up in bankruptcy court.

Bad Timing

Just last week, the Pew Internet & American Life Project found that 86 percent of Americans would prefer that online companies ask them before collecting personal information and give consumers the chance to “opt-in” to the information-gathering schemes.

Meanwhile, Interhack clearly relished having caught TRUSTe’s misstep, posting the discovery on its main home page. “Perhaps we’ll see TRUSTe investigate itself and publish the results so we can understand just how TRUSTe came to allow such a violation of its visitors’ privacy,” Interhack said in a statement.

Policy or Infrastructure?

For Curtin, a self-described hacker, the issue is less about privacy policies and more about the construction of the Internet.

“Are we trying to create liability for people who violate privacy or should we be trying to build a system that doesn’t make such privacy violations possible in the first place?” he asked. “I’m definitely in the latter camp, but right now that makes me unpopular.”